190139 – [WPE] fix buffer over-read in RenderThemeWPE::mediaControlsStyleSheet()

Bug 190139 - [WPE] fix buffer over-read in RenderThemeWPE::mediaControlsStyleSheet()

Summary: [WPE] fix buffer over-read in RenderThemeWPE::mediaControlsStyleSheet()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WPE WebKit (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-10-01 08:01 PDT by Olivier Blin
Modified:	2018-10-01 10:19 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Patch (2.03 KB, patch) 2018-10-01 08:03 PDT, Olivier Blin	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Olivier Blin 2018-10-01 08:01:41 PDT

Like done for EFL in r210213, see https://bugs.webkit.org/show_bug.cgi?id=166622

This has been detected by a charactersAreAllASCII() assert failure.

This is because ASCIILiteral() is wrongly used in mediaControlsStyleSheet().
mediaControlsBaseUserAgentStyleSheet is a char array, not a null-terminated string.
It is thus incorrect to use StringImpl::createFromLiteral() that calls strlen() to get the string length.

The String::ConstructFromLiteral constructor can not be used, since it skips the last character.

Comment 1 Olivier Blin 2018-10-01 08:03:33 PDT

Created attachment 351246 [details]
Patch

Comment 2 WebKit Commit Bot 2018-10-01 10:19:54 PDT

Comment on attachment 351246 [details]
Patch

Clearing flags on attachment: 351246

Committed r236666: <https://trac.webkit.org/changeset/236666>

Comment 3 WebKit Commit Bot 2018-10-01 10:19:56 PDT

All reviewed patches have been landed.  Closing bug.